Mass surveillance is Being Undermined by the ‘Snowden Effect’

images?q=tbn:ANd9GcSaVZsC4O01k2zO_JsxeOSUw3QZru5SN-hydKPZFLwR7c4KiHkh

Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos

We are in the middle of a Crypto war again. Perhaps we have always been in the middle of a Crypto war. Since the 70s, the right and ability to encrypt private communications has been fought over, time and again. Here in the UK, Cameron’s re-election has prompted reports of a ‘turbo-charged’ version of the so-called ‘Snoopers’ Charter’, extending further the powers of surveillance that the whistleblower Edward Snowden described as having ‘no limits’.

Two nights ago, the US Patriot Act expired. With it, at least officially, elements of the NSA’s bulk surveillance programme expired too. The law was passed in the wake of 9/11, in order to ‘strengthen domestic security’ and ‘broaden the powers of law-enforcement agencies with regards to identifying and stopping terrorists’. Section 215 of the Act had allowed the NSA to collect mobile phone data on millions of Americans. For the time being, that provision has gone. In the same week, the UN published a report saying encryption is ‘crucial for human rights’.

But the law is only half the story. Privacy advocates were, of course, cautious not to overstate the significance of the act’s suspension. But behind this caution, their successes are far more extensive than the symbolic demise of the Patriot Act. From the perspective of surveillance, the damage has already been done.

The ‘Snowden effect’, named after the whistleblower responsible for outing government surveillance in the US and UK, has brought more companies and technologists to the fight. Their purpose? To provide privacy tools that are powerful, open-source and accessible to the masses. And these groups are winning. As fears over our privacy continue to grow and the government talks about further extending surveillance capability, ordinary people are turning to these tools. What’s more, for the first time, they are beginning to be adopted on a massive scale.

Scale is a significant change, and a significant challenge to security services. Take Tor. Tor is a web browser-cum-network that scrambles your connections and makes your internet browsing more difficult to track. Both Tor and other publicly-available encryption tools always come with a caveat. Although frequently very powerful, especially in combination with one another, they are not perfect. With enough work and with the resources at the disposal of government organisations, a single user’s communications are at risk: the sheer firepower that the security services can use to break into secure channels means that a single suspect is up against it.

This is probably a good thing. If we believe our security services should have the resources to protect us from those who would plan acts of terrorism, for example, then they must be able to intercept the communications of suspects under investigation. Isis advise use of encryption to its supporters in order to protect their identities and whereabouts. Anders Breivik wrote a blog on it. If a suspect was under investigation we would rightly expect MI5 to use wiretaps and human surveillance, after all. Digital communications should be no different.

But what the mass uptake of this kind of software threatens is mass surveillance. Cracking one encryption key is difficult but possible. Cracking millions is a different proposition. Mass uptake of encryption and of VPNs – virtual private networks designed to hide your identity – is anathema to dragnet collection of data.

Take instant messaging, for example. It is estimated that the 700m users of the app WhatsApp currently send thirty billion messages a day. This alone poses a real challenge to those calling for those messages to be somehow ‘read’ and analysed; how on earth do you read 350,000 messages a second? Over the past few years the Centre for the Analysis of Social media at Demos has done a lot of work in partnership with the University of Sussex on ‘Natural Language Processing’, the science of teaching computers to find meaning in the words we use. Conclusion: it isn’t easy. Algorithms are never perfect, and they go out of date quickly as the way we speak changes.

But now, WhatsApp on Android is end-to-end encrypted, with the possibility of extending this to iOS. Thirty billion encrypted messages a day on one platform alone. True, the levels of encryption provided to a single user under investigation won’t stand up to security service surgery, but they will provide a strong barrier to understanding this data in bulk.

WhatsApp is owned by Facebook. Today, Facebook announced the site would allow its users to encrypt emails sent from the site to their personal accounts. It already provides a ‘dark web’ link which allows access through Tor. Whether its users will take advantage of this to increase their levels of security isn’t clear, but it is tacit approval of encryption from one of the biggest technology companies on the planet. And it isn’t just encrypted communications that are becoming more mainstream.

Hola is a peer-to-peer network. It claims to ‘provide everyone on the planet with freedom to access all of the Web’. Put simply, when you use it, your connection is routed through somebody else’s computer, and when you’re not using it, your computer is offered to others for the same purpose. It is wildly popular among those looking to dodge restrictions placed on, say, television shows. Recent estimates place its use at fifty million worldwide.

Hola has been the subject of some controversy of late: above all, they weren’t quite being straight up about the risks of letting somebody else use your internet connection. Nevertheless, it is the first example of a network that is both very difficult to monitor and censor that has really hit the mainstream by offering a slick and desirable service. The much more ethically-sound and established Tor browser has less than a tenth of its userbase, but is also growing. The Ethereum project is a similar attempt to decentralise the internet and take it out of the control of the government and big companies, making it more private and impossible to censor. It raised $12 million in crowd-funded support.

What this means for the security services, and our own security, is difficult to say. The UN has recognised the vital role these tools play in protecting those at risk of oppression. Human rights activists living under government oppression, for example, or citizens looking to bypass government censorship all rely on these tools daily to avoid persecution. In our recent Demos report with my colleague Jamie Bartlett we argue that there is a balance that must be struck in dealing with this kind of powerful technology.

But lack of dialogue between governments and cryptographers, the no-man’s land between the two sides of this crypto war, is deafening. As long as the security services remain silent and Snowden keeps talking, encryption and moves to protect private communication on the internet will accelerate. It is time the government joined the debate, not as enemies of privacy, but as level-headed, publicly accountable figures whose job it is to protect us from those who would do us harm.

Spectator: http://ow.ly/NRX6b 

Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos. He can be found tweeting @akrasodomski

« Cyber Vulnerability Report 2015
NSA Surveillance Reform - Snowden’s Vindication. »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Free Access: Cyber Security Supplier Directory listing 5,000+ specialist service providers.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Activereach

Activereach

Activereach provides a complete range of Internet, networking, voice & security solutions to businesses across the UK and Europe.

SecuriThings

SecuriThings

SecuriThings is a User and Entity Behavioral Analytics (UEBA) solution for IoT security.

Greenbone Networks

Greenbone Networks

Greenbone Networks delivers a vulnerability analysis solution for enterprise IT which includes reporting and security change management.

SparkCognition

SparkCognition

SparkCognition’s AI-powered solutions enhance cybersecurity, identify and prevent equipment failures before they happen, and provide prescriptive intelligence for maintaining your most critical assets

ClearBlade

ClearBlade

ClearBlade is the Edge Computing software company enabling enterprises to rapidly engineer and run secure, real-time, scalable IoT applications.

DNX Ventures

DNX Ventures

Based in Silicon Valley and Tokyo, DNX Ventures is an early stage VC for B2B startups in sectors including Cybersecurity.

Hexaware Technologies

Hexaware Technologies

Hexaware is an automation-led next-generation service provider delivering excellence in IT, BPO and Consulting services.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.